mirror of
https://git.yoctoproject.org/poky
synced 2026-06-16 07:53:47 +02:00
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you may be impacted by these vulnerabilities. The REXML gem 3.3.2 or later includes the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.

Reference: https://security-tracker.debian.org/tracker/CVE-2024-39908

Upstream-patches:
f1df7d13b3d146162e9ab5bf109a59b8a5f4cd5c0af55fa49dc1b64c174e9f1415a261c33ea49810a79ac8b4b467efb5951e1f1e6e9b40910e5a2b48

(From OE-Core rev: 6e0b70843422cd7cdb25a9e1520dd64bf701fea6)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
47 lines
1.4 KiB
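The commit message above tells users who cannot upgrade to avoid parsing untrusted XML. Where that is not possible, the guard rails below are the kind of interim mitigation a practitioner would put in front of REXML: a version check against the 3.3.2 release the advisory names, a byte cap applied before any parsing, and a wall-clock cap on the parse itself. This is an added example, not code from this commit, from OE-Core or from the rexml project; the module name, the exception class, the 256 KiB cap and the 2 second deadline are this example's own choices, and the limits reduce exposure to a slow parse but do not fix an affected REXML.

```ruby
# Added example (not part of the OE-Core commit or the rexml patch): guard rails
# for parsing XML from untrusted sources on a Ruby that may still ship an
# affected REXML. Names and thresholds here are this example's own assumptions.
require "rexml/document"
require "timeout"

module UntrustedXml
  FIXED_VERSION = Gem::Version.new("3.3.2") # first release the advisory names as patched
  MAX_BYTES     = 256 * 1024                # example cap; tune to what the application really accepts
  PARSE_TIMEOUT = 2.0                       # seconds; REXML is pure Ruby, so Timeout can interrupt it

  class Rejected < StandardError; end

  # True when the loaded REXML predates the patched release named in the advisory.
  # Gem::Version is used so that "3.10.0" is not treated as older than "3.3.2",
  # which is what a plain String comparison would do.
  def self.vulnerable_rexml?(version = REXML::VERSION)
    Gem::Version.new(version) < FIXED_VERSION
  end

  # Parse XML from an untrusted source with hard limits:
  #   * size cap checked before the parser sees a single byte
  #   * wall-clock cap on the parse itself
  #   * entity expansion limits left at REXML's defaults (REXML::Security)
  # Returns the REXML::Document, or raises Rejected on any limit breach or
  # malformed input so callers have one failure type to handle.
  def self.parse(xml, max_bytes: MAX_BYTES, timeout: PARSE_TIMEOUT)
    if xml.bytesize > max_bytes
      raise Rejected, "input is #{xml.bytesize} bytes, limit is #{max_bytes}"
    end
    Timeout.timeout(timeout) { REXML::Document.new(xml) }
  rescue Timeout::Error
    raise Rejected, "parse exceeded #{timeout}s"
  rescue REXML::ParseException => e
    raise Rejected, "malformed XML: #{e.message.lines.first&.strip}"
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs for a stand-alone run.
  ok_doc  = "<config><user name='alice' role='admin'/></config>"
  too_big = "<" * (UntrustedXml::MAX_BYTES + 1) # a run of one of the characters the advisory names, over the cap

  if UntrustedXml.vulnerable_rexml?
    warn "REXML #{REXML::VERSION} is below #{UntrustedXml::FIXED_VERSION}: these limits mitigate, they do not fix"
  end
  puts UntrustedXml.parse(ok_doc).root.elements["user"].attributes["name"]
  begin
    UntrustedXml.parse(too_big)
  rescue UntrustedXml::Rejected => e
    puts "rejected: #{e.message}"
  end
end
```

The size check runs before `REXML::Document.new` so an oversized payload never reaches the parser; the timeout only bounds how long a payload under the cap can keep a worker busy. Both are cheap to add, but the commit's advice stands: upgrade to 3.3.2 or later.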
From f1df7d13b3e57a5e059273d2f0870163c08d7420 Mon Sep 17 00:00:00 2001
From: Sutou Kouhei <kou@clear-code.com>
Date: Mon, 20 May 2024 12:17:27 +0900
Subject: [PATCH] Add support for old strscan

Fix GH-132

If we support old strscan, users can also use strscan installed as a
default gem.

Reported by Adam. Thanks!!!

CVE: CVE-2024-39908

Upstream-Status: Backport [https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420]

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
---
.../gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
index eab942d..8ea8b43 100644
--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
@@ -7,6 +7,17 @@ require "strscan"

module REXML
module Parsers
+ if StringScanner::Version < "3.0.8"
+ module StringScannerCaptures
+ refine StringScanner do
+ def captures
+ values_at(*(1...size))
+ end
+ end
+ end
+ using StringScannerCaptures
+ end
+
# = Using the Pull Parser
# <em>This API is experimental, and subject to change.</em>
# parser = PullParser.new( "<a>text<b att='val'/>txet</a>" )
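Review bot: the `captures` refinement diverges from the strscan method it stands in for when there is no current match. `StringScanner#size` returns nil in that state, so `values_at(*(1...size))` raises (RangeError on an endless range in Ruby 2.6 and later, ArgumentError before that) where the real `captures` returns nil. Because this shim is only useful to code that calls `captures` on an old strscan, any caller that reaches it after a failed `scan`/`check` gets an exception instead of nil; add `return nil unless matched?` as the first line of `def captures`. Separately, `StringScanner::Version < "3.0.8"` is a lexicographic String comparison, not a version comparison, so a two-digit patch release such as "3.0.10" would sort below "3.0.8" and take the shim path on a strscan that does not need it; `Gem::Version.new(StringScanner::Version) < Gem::Version.new("3.0.8")` compares the way intended.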
--
2.40.0